diff --git a/test/parallel/test-tls-min-max-version.js b/test/parallel/test-tls-min-max-version.js index 6b856ac59b27b3..9ee6fdc8ac1549 100644 --- a/test/parallel/test-tls-min-max-version.js +++ b/test/parallel/test-tls-min-max-version.js @@ -8,9 +8,11 @@ const { assert, connect, keys, tls } = require(fixtures.path('tls-connect')); const DEFAULT_MIN_VERSION = tls.DEFAULT_MIN_VERSION; +const DEFAULT_MAX_VERSION = tls.DEFAULT_MAX_VERSION; -function test(cmin, cmax, cprot, smin, smax, sprot, expect) { - assert(expect); + +function test(cmin, cmax, cprot, smin, smax, sprot, proto, cerr, serr) { + assert(proto || cerr || serr, 'test missing any expectations'); connect({ client: { checkServerIdentity: (servername, cert) => { }, @@ -27,8 +29,20 @@ function test(cmin, cmax, cprot, smin, smax, sprot, expect) { secureProtocol: sprot, }, }, common.mustCall((err, pair, cleanup) => { - if (err) { - assert.strictEqual(err.code, expect, err + '.code !== ' + expect); + function u(_) { return _ === undefined ? 'U' : _; } + console.log('test:', u(cmin), u(cmax), u(cprot), u(smin), u(smax), u(sprot), + 'expect', u(proto), u(cerr), u(serr)); + if (!proto) { + console.log('client', pair.client.err ? pair.client.err.code : undefined); + console.log('server', pair.server.err ? pair.server.err.code : undefined); + if (cerr) { + assert(pair.client.err); + assert.strictEqual(pair.client.err.code, cerr); + } + if (serr) { + assert(pair.server.err); + assert.strictEqual(pair.server.err.code, serr); + } return cleanup(); } @@ -37,8 +51,8 @@ function test(cmin, cmax, cprot, smin, smax, sprot, expect) { assert.ifError(pair.client.err); assert(pair.server.conn); assert(pair.client.conn); - assert.strictEqual(pair.client.conn.getProtocol(), expect); - assert.strictEqual(pair.server.conn.getProtocol(), expect); + assert.strictEqual(pair.client.conn.getProtocol(), proto); + assert.strictEqual(pair.server.conn.getProtocol(), proto); return cleanup(); })); } @@ -49,22 +63,28 @@ const U = undefined; test(U, U, U, U, U, U, 'TLSv1.2'); // Insecure or invalid protocols cannot be enabled. -test(U, U, U, U, U, 'SSLv2_method', 'ERR_TLS_INVALID_PROTOCOL_METHOD'); -test(U, U, U, U, U, 'SSLv3_method', 'ERR_TLS_INVALID_PROTOCOL_METHOD'); -test(U, U, 'SSLv2_method', U, U, U, 'ERR_TLS_INVALID_PROTOCOL_METHOD'); -test(U, U, 'SSLv3_method', U, U, U, 'ERR_TLS_INVALID_PROTOCOL_METHOD'); -test(U, U, 'hokey-pokey', U, U, U, 'ERR_TLS_INVALID_PROTOCOL_METHOD'); -test(U, U, U, U, U, 'hokey-pokey', 'ERR_TLS_INVALID_PROTOCOL_METHOD'); +test(U, U, U, U, U, 'SSLv2_method', + U, U, 'ERR_TLS_INVALID_PROTOCOL_METHOD'); +test(U, U, U, U, U, 'SSLv3_method', + U, U, 'ERR_TLS_INVALID_PROTOCOL_METHOD'); +test(U, U, 'SSLv2_method', U, U, U, + U, 'ERR_TLS_INVALID_PROTOCOL_METHOD'); +test(U, U, 'SSLv3_method', U, U, U, + U, 'ERR_TLS_INVALID_PROTOCOL_METHOD'); +test(U, U, 'hokey-pokey', U, U, U, + U, 'ERR_TLS_INVALID_PROTOCOL_METHOD'); +test(U, U, U, U, U, 'hokey-pokey', + U, U, 'ERR_TLS_INVALID_PROTOCOL_METHOD'); // Cannot use secureProtocol and min/max versions simultaneously. test(U, U, U, U, 'TLSv1.2', 'TLS1_2_method', - 'ERR_TLS_PROTOCOL_VERSION_CONFLICT'); + U, U, 'ERR_TLS_PROTOCOL_VERSION_CONFLICT'); test(U, U, U, 'TLSv1.2', U, 'TLS1_2_method', - 'ERR_TLS_PROTOCOL_VERSION_CONFLICT'); + U, U, 'ERR_TLS_PROTOCOL_VERSION_CONFLICT'); test(U, 'TLSv1.2', 'TLS1_2_method', U, U, U, - 'ERR_TLS_PROTOCOL_VERSION_CONFLICT'); + U, 'ERR_TLS_PROTOCOL_VERSION_CONFLICT'); test('TLSv1.2', U, 'TLS1_2_method', U, U, U, - 'ERR_TLS_PROTOCOL_VERSION_CONFLICT'); + U, 'ERR_TLS_PROTOCOL_VERSION_CONFLICT'); // TLS_method means "any supported protocol". test(U, U, 'TLSv1_2_method', U, U, 'TLS_method', 'TLSv1.2'); @@ -79,18 +99,23 @@ test(U, U, 'TLS_method', U, U, 'TLSv1_method', 'TLSv1'); test(U, U, 'TLSv1_2_method', U, U, 'SSLv23_method', 'TLSv1.2'); if (DEFAULT_MIN_VERSION === 'TLSv1.2') { - test(U, U, 'TLSv1_1_method', U, U, 'SSLv23_method', 'ECONNRESET'); - test(U, U, 'TLSv1_method', U, U, 'SSLv23_method', 'ECONNRESET'); + test(U, U, 'TLSv1_1_method', U, U, 'SSLv23_method', + U, 'ECONNRESET', 'ERR_SSL_UNSUPPORTED_PROTOCOL'); + test(U, U, 'TLSv1_method', U, U, 'SSLv23_method', + U, 'ECONNRESET', 'ERR_SSL_UNSUPPORTED_PROTOCOL'); test(U, U, 'SSLv23_method', U, U, 'TLSv1_1_method', - 'ERR_SSL_VERSION_TOO_LOW'); - test(U, U, 'SSLv23_method', U, U, 'TLSv1_method', 'ERR_SSL_VERSION_TOO_LOW'); + U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER'); + test(U, U, 'SSLv23_method', U, U, 'TLSv1_method', + U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER'); } if (DEFAULT_MIN_VERSION === 'TLSv1.1') { test(U, U, 'TLSv1_1_method', U, U, 'SSLv23_method', 'TLSv1.1'); - test(U, U, 'TLSv1_method', U, U, 'SSLv23_method', 'ECONNRESET'); + test(U, U, 'TLSv1_method', U, U, 'SSLv23_method', + U, 'ECONNRESET', 'ERR_SSL_UNSUPPORTED_PROTOCOL'); test(U, U, 'SSLv23_method', U, U, 'TLSv1_1_method', 'TLSv1.1'); - test(U, U, 'SSLv23_method', U, U, 'TLSv1_method', 'ERR_SSL_VERSION_TOO_LOW'); + test(U, U, 'SSLv23_method', U, U, 'TLSv1_method', + U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER'); } if (DEFAULT_MIN_VERSION === 'TLSv1') { @@ -108,18 +133,34 @@ test(U, U, 'TLSv1_method', U, U, 'TLSv1_method', 'TLSv1'); // The default default. if (DEFAULT_MIN_VERSION === 'TLSv1.2') { - test(U, U, 'TLSv1_1_method', U, U, U, 'ECONNRESET'); - test(U, U, 'TLSv1_method', U, U, U, 'ECONNRESET'); - test(U, U, U, U, U, 'TLSv1_1_method', 'ERR_SSL_VERSION_TOO_LOW'); - test(U, U, U, U, U, 'TLSv1_method', 'ERR_SSL_VERSION_TOO_LOW'); + test(U, U, 'TLSv1_1_method', U, U, U, + U, 'ECONNRESET', 'ERR_SSL_UNSUPPORTED_PROTOCOL'); + test(U, U, 'TLSv1_method', U, U, U, + U, 'ECONNRESET', 'ERR_SSL_UNSUPPORTED_PROTOCOL'); + + if (DEFAULT_MAX_VERSION === 'TLSv1.2') { + test(U, U, U, U, U, 'TLSv1_1_method', + U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER'); + test(U, U, U, U, U, 'TLSv1_method', + U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER'); + } else { + assert(false, 'unreachable'); + } } // The default with --tls-v1.1. if (DEFAULT_MIN_VERSION === 'TLSv1.1') { test(U, U, 'TLSv1_1_method', U, U, U, 'TLSv1.1'); - test(U, U, 'TLSv1_method', U, U, U, 'ECONNRESET'); + test(U, U, 'TLSv1_method', U, U, U, + U, 'ECONNRESET', 'ERR_SSL_UNSUPPORTED_PROTOCOL'); test(U, U, U, U, U, 'TLSv1_1_method', 'TLSv1.1'); - test(U, U, U, U, U, 'TLSv1_method', 'ERR_SSL_VERSION_TOO_LOW'); + + if (DEFAULT_MAX_VERSION === 'TLSv1.2') { + test(U, U, U, U, U, 'TLSv1_method', + U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER'); + } else { + assert(false, 'unreachable'); + } } // The default with --tls-v1.0.